Opened 2 years ago

Last modified 18 months ago

#22584 assigned defect

More RWX memory pages for TBB on some Windows versions

Reported by: arthuredelstein
Owned by: tom
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by arthuredelstein)

A cypherpunk has reported that some RWX memory pages were observed for Tor Browser on Windows 7 and Windows 10. See:

Change History (19)

comment:1 Changed 2 years ago by arthuredelstein

Description: modified (diff)

comment:2 Changed 2 years ago by cypherpunks

ticket:21617#comment:4 is about about:memory in Tor Browser, where under Other Measurements section it shows general information from MEMORY_BASIC_INFORMATION about memory address space for each process separately. execute-readwrite in image means RWX pages in executable images (EXEs, DLLs).

comment:3 Changed 2 years ago by cypherpunks

ticket:21617#comment:7 shows that with, e.g., Process Hacker, it's possible to find out which images have RWX pages. Those 2 images belong to Windows 7, to its part known as Media Foundation (itself and an audio codec). The most recent version of Windows 10 doesn't have this problem.
To force Firefox to load MF you can use https://www.youtube.com/html5

comment:4 Changed 2 years ago by cypherpunks

ticket:21617#comment:14 is about softokn3.dll and freebl3.dll having W^X pages on Windows 10 (15063) for an unknown reason.
The about:support page is a good way to force lazyloaders in Firefox to load DLLs.

comment:5 in reply to: 4 Changed 2 years ago by cypherpunks

Replying to cypherpunks:

ticket:21617#comment:14 is about softokn3.dll and freebl3.dll having W^X pages on Windows 10 (15063) for an unknown reason.

The same happens on Windows 7 right from the start (chrome process only). And it's a great improvement since 6.5, where many more libs had W^X pages.

comment:6 Changed 2 years ago by arthuredelstein

Thanks for these very useful details!

comment:7 in reply to: 4 Changed 2 years ago by arthuredelstein

Replying to cypherpunks:

ticket:21617#comment:14 is about softokn3.dll and freebl3.dll having W^X pages on Windows 10 (15063) for an unknown reason.
The about:support page is a good way to force lazyloaders in Firefox to load DLLs.

I'm able to reproduce the RWX pages for these two DLLs. They are all labeled ".text", which leads me to assembly code in the freebl and softoken parts of the mozilla codebase. But I don't see anything in the code explicitly requesting RWX or X/COW memory.

Interestingly, I don't see these RWX pages in the latest release version of Firefox. And, if I build tor-browser.git using ./mach build on Windows, I also don't see any RWX pages. That suggests to me that the RWX pages observed in TBB may be related to how we are building tor-browser.git with mingw32-gcc.

Last edited 2 years ago by arthuredelstein

comment:8 Changed 2 years ago by cypherpunks

TBB 7.5a1 on Win 7: 10 private RWX pages are observable.

│    │       ├──0.04 MB (00.00%) ── execute-readwrite(segments=1)
0x4260000, Private: Commit, 40 kB, RWX
Last edited 2 years ago by cypherpunks

comment:9 in reply to: 8; Changed 2 years ago by arthuredelstein

Replying to cypherpunks:

TBB 7.5a1 on Win 7: 10 private RWX pages are observable.

│    │       ├──0.04 MB (00.00%) ── execute-readwrite(segments=1)
0x4260000, Private: Commit, 40 kB, RWX

Thanks. Could you check what DLLs (or exe) these pages are associated with? VMMap will tell you (https://technet.microsoft.com/en-us/sysinternals/vmmap.aspx).

comment:10 Changed 2 years ago by arthuredelstein

I did some more investigation and posted a question on the mingw-w64 help discussion board: https://sourceforge.net/p/mingw-w64/discussion/723798/thread/2f2c014b/

comment:11 in reply to: 9; Changed 2 years ago by cypherpunks

Replying to arthuredelstein:

Replying to cypherpunks:

TBB 7.5a1 on Win 7: 10 private RWX pages are observable.

│    │       ├──0.04 MB (00.00%) ── execute-readwrite(segments=1)
0x4260000, Private: Commit, 40 kB, RWX

Thanks. Could you check what DLLs (or exe) these pages are associated with? VMMap will tell you (https://technet.microsoft.com/en-us/sysinternals/vmmap.aspx).

Well, it's a private block of the main firefox.exe process.

comment:12 in reply to: 10 Changed 2 years ago by cypherpunks

Replying to arthuredelstein:

I did some more investigation and posted a question on the mingw-w64 help discussion board: https://sourceforge.net/p/mingw-w64/discussion/723798/thread/2f2c014b/

Maybe it would be easier to track this down with the Tor Expert Bundle first. Compiling without SSP and then without all flags could also help.

comment:13 Changed 2 years ago by cypherpunks

Some linker fun:

--enable-auto-import
    Do sophisticated linking of _symbol to __imp__symbol for DATA imports from DLLs, and create the necessary thunking symbols when building the import libraries with those DATA exports. Note: Use of the 'auto-import' extension will cause the text section of the image file to be made writable. This does not conform to the PE-COFF format specification published by Microsoft.
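As an added example (not code from this ticket, from Tor Browser or from binutils), a small Python check for the symptom the linker note above describes: a code section whose PE section-header characteristics include IMAGE_SCN_MEM_WRITE, which the loader then maps RWX. The function names, and the `build_minimal_pe` helper that fabricates a headers-only PE so the script runs offline, are this example's own assumptions; the section flag values are the ones from the PE/COFF specification.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data: bytes):
    """Return [(name, characteristics)] for every section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew -> "PE\0\0"
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                        # first IMAGE_SECTION_HEADER (40 bytes each)
    out = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]
        out.append((name, chars))
    return out


def writable_code_sections(data: bytes):
    """Names of sections that hold/execute code AND are writable: the W^X violation to flag."""
    return [n for n, c in parse_sections(data)
            if c & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE) and c & IMAGE_SCN_MEM_WRITE]


def build_minimal_pe(sections):
    """Constructed sample input: DOS stub, COFF header (no optional header) and section headers only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x2102)  # i386 DLL, opt hdr size 0
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, chars)
                    for name, chars in sections)
    return dos + b"PE\0\0" + coff + hdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                             # e.g. the DLLs in a Tor Browser build
        with open(path, "rb") as f:
            print(path, writable_code_sections(f.read()))
```

This only inspects on-disk section flags, so it catches the linker-induced writable .text but not the private RWX heap blocks reported later in this ticket, which need a runtime view of the process (VMMap, Process Hacker or VirtualQueryEx).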

comment:14 in reply to: 11 Changed 2 years ago by cypherpunks

Replying to cypherpunks:

Replying to arthuredelstein:

Replying to cypherpunks:

TBB 7.5a1 on Win 7: 10 private RWX pages are observable.

│    │       ├──0.04 MB (00.00%) ── execute-readwrite(segments=1)
0x4260000, Private: Commit, 40 kB, RWX

Thanks. Could you check what DLLs (or exe) these pages are associated with? VMMap will tell you (https://technet.microsoft.com/en-us/sysinternals/vmmap.aspx).

Well, it's a private block of the main firefox.exe process.

In 7.5a4 the content process has a similar block (with different data in it).
The main process has another 4K RWX private page.

comment:15 in reply to: 3 Changed 2 years ago by cypherpunks

Status: new → needs_information

Replying to cypherpunks:

ticket:21617#comment:7 shows that with, e.g., Process Hacker, it's possible to find out which images have RWX pages. Those 2 images belong to Windows 7, to its part known as Media Foundation (itself and an audio codec). The most recent version of Windows 10 doesn't have this problem.
To force Firefox to load MF you can use https://www.youtube.com/html5

Maybe Tom Ritter could write an official letter to Microsoft?

comment:16 Changed 19 months ago by cypherpunks

Please add #22917 as --enable-auto-import is still making holes.

comment:17 in reply to: 16; Changed 19 months ago by gk

Replying to cypherpunks:

Please add #22917 as --enable-auto-import is still making holes.

Which holes are due to --enable-auto-import? I.e. they go away if compiled with --disable-auto-import?

comment:18 in reply to: 17 Changed 19 months ago by cypherpunks

Replying to gk:

Replying to cypherpunks:

Please add #22917 as --enable-auto-import is still making holes.

Which holes are due to --enable-auto-import? I.e. they go away if compiled with --disable-auto-import?

Unfortunately, Arthur's patch for --enable-auto-import isn't sufficient. Disabling this bug-or-feature is the right way to go.
(Also, lld doesn't have it.)

Last edited 19 months ago by cypherpunks